Authorize your Android App with AppAuth and Identity Server 3

When clicking on the login button, you are getting redirected to a web login page

When your login has been successful, you are getting back to your app and start using it

Login via smartphone browser

But how to achieve this is as an Android developer? Do I need a broad knowledge how to setup a secure infrastructure?

When I start to introduce an authentication and authorization mechanism workflow, I definitely do not implement everything from scratch. Configuring all this stuff can be a real pain in the neck. Moreover, the probability is quite high that crucial security bugs occur.

Therefore, I reused a toolchain consisting of AppAuth for Android and Identithy Server 3 as authorization server in my last project.

AppAuth for Android

AppAuth is a powerful library communicating with OAuth 2.0 and OpenID Connect providers. All the forwarding and redirecting magic from app to browser, and vice versa, works already out of the box. That saves a lot of time and offers less working points to make any crucial security mistakes, excellent!

Embedding the dependency

AppAuth for Android Gradle Dependency

Java

1

compile'net.openid:appauth:0.3.0'

While we were configuring AppAuth last summer, the latest version was 0.3.0. In the meanwhile, it is 0.5.1.

AndroidManifest.xml Configuration

First of all, define an intent filter in the activity where you intent to perform the authorization request to the authorization server.

I recommend to pull the action name out to a string resource value. The name will be reused to perform authorization and access token requests in the upcoming sections.

RedirectUriReceiverActivity

Furthermore, it is required to define a redirect URI Activity. This redirect URI Activity is an invisible activity getting invoked in case of a successful (browser) login. Roughly speaking, it handles the redirection from the browser to the app and returns back the received authorization server response.

Actually, it is possible to define the AppAuth class “net.openid.appauth.RedirectUriReceiverActivity” as RedirectUriReceiverActivity. When I worked with OpenID’s hybrid flow , I had to conduct some minor changes.

An authorization server returns a redirect URI containing all relevant token parameters for the client. AppAuth always tries to resolve the given token parameters as URI query string. However, when hybrid flow has been specified as authorization code flow, Identity Server returns the tokens separated by a hash fragment spec-compliant to the OpenID standard.

Identity Server Authorization URI Response

1

2

3

4

5

6

7

8

de.novatec.android:/oauth2callback

#code=someFancyCode

&id_token=aCrypticIdToken

&access_token=aCrypticAccessToken

&token_type=Bearer&expires_in=7200

&scope=openid%20openid_a%20profile%20profile_a

&state=aState

&session_state=aSessionState

Therefore, the AppAuth RedirectUriReceiverActivity has to be extended. A possible workaround could look like this:

Token Request

Briefly worded, in OpenID Connect the authorization request is the first step to receive an authorization code via a “user-agent”. In our case, the user-agent is the “browser” sending our login data to the authorization server.

The app is now capable of exchanging an authorization code for an access token from the Identity Server. Via this access token, the client is allowed to access the services of your backend infrastructure.

Author

Comment article

Comments

Dominick Baier

Stefan Nägele

Hello Dominick,

thx for the clarification! Great to know that AppAuth is the actual bad guy.

The post has been updated.

Kind regards,
Stefan

24. April 2017 |

Dominick Baier

“Due to the fact that Identity Server 3 does not agree with the URL standard using “?” for query parameters, the RedirectUriReceiverActivity has to be customized. Identity Server 3 is using “#” as separator instead.”

That sentence is wrong – IdentityServer behaves spec-compliant (and is also official certified by the OpenID Foundation). Tokens must be sent after a hash fragment in hybrid flow.